Privacy Policy

Last updated: January 23, 2026

Our Commitment to Your Privacy

Sasto is a HIPAA-compliant platform designed to support individuals on their recovery journey. We understand that the information you share with us is deeply personal and sensitive. Protecting your privacy is not just a legal obligation—it's central to our mission.

Information We Collect

We collect information necessary to provide our services:

  • Account Information: Name, email address, and authentication credentials
  • Location Data: GPS coordinates to verify attendance at scheduled commitments (only when you grant permission)
  • Calendar Data: Events and appointments you choose to sync with Sasto
  • Check-in Data: Your check-ins, notes, and mood entries
  • Health Information: Recovery-related information you voluntarily provide, which is treated as Protected Health Information (PHI) under HIPAA

How We Use Your Information

Your information is used solely to:

  • Provide Services: Power the features you use, including location-based accountability, reminders, and progress tracking
  • Support Your Care Team: Share relevant information with clinicians, sponsors, or care providers you explicitly authorize
  • Improve Our Platform: Analyze anonymized, aggregated data to enhance Sasto's features and reliability
  • Quality Assurance: Limited access by Sasto staff for troubleshooting and ensuring platform quality, under strict confidentiality protocols

Who Can Access Your Data

Access to your information is strictly limited:

  • You: Full access to all your data, with the ability to export or delete it at any time
  • Your Authorized Care Team: Clinicians, counselors, or sponsors you explicitly connect with can view information necessary to support your recovery
  • Sasto Staff: Limited access for quality assurance, technical support, and platform maintenance—all staff are trained on HIPAA compliance and bound by confidentiality agreements

We will never sell your personal information or share it with advertisers.

Google User Data

When you connect your Google account to Sasto, we access your Google Calendar data (read-only) and basic profile information (email, name, profile picture) to provide our accountability and scheduling services.

How we use Google data:

  • Calendar events are synced to help track your scheduled commitments and appointments
  • Your name and profile picture are displayed within the app for identification purposes
  • Your email is used for account authentication and communication

Who can access your Google data:

  • You: Full access to all your synced calendar data and profile information
  • Your Authorized Care Team: Clinicians, counselors, and care providers at treatment facilities where you are a patient can view your calendar events, name, and profile picture to provide continuing care and support your recovery journey
  • Sasto Staff: Limited access for technical support and platform maintenance only, under strict HIPAA confidentiality protocols

We do not:

  • Sell your Google user data to third parties
  • Share your Google user data with advertisers or marketing companies
  • Use your Google user data for any purpose other than providing Sasto's recovery support services
  • Transfer your Google user data outside of our secure, HIPAA-compliant infrastructure

You can revoke Sasto's access to your Google account at any time through your Google Account settings or by disconnecting your calendar within the Sasto app. Sasto's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

HIPAA Compliance

Sasto is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA). We implement administrative, physical, and technical safeguards to protect your Protected Health Information (PHI), including:

  • Encryption of data in transit and at rest
  • Role-based access controls
  • Audit logging of all data access
  • Business Associate Agreements (BAAs) with all third-party service providers
  • Regular security assessments and staff training

Location Data

Location tracking is a core feature of Sasto's accountability system. When enabled, we collect your location to verify attendance at scheduled events and commitments. You have full control over location permissions and can disable tracking at any time through your device settings or within the app. Location data is encrypted and only accessible to you and your authorized care team.

Data Retention

We retain your information for as long as your account is active or as needed to provide services. You may request deletion of your account and associated data at any time by contacting us. Some information may be retained as required by law or for legitimate business purposes (such as audit logs for HIPAA compliance).

Your Rights

You have the right to:

  • Access your personal information
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Revoke consent for data sharing at any time
  • File a complaint if you believe your privacy rights have been violated

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@sasto.ai
Address: Sasto, Inc.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of Sasto after changes are posted constitutes acceptance of the updated policy.